Topic: DNSSEC on Reverse IPv6 zones via HE?

With the DNS root data being signed as of July 1, 2010, this got me thinking. Will HE offer DNSSEC for our tunnels' reverse zones? We already may have 3 DNS servers for the reverse zones, but there's no place to add DS information....

Is this on the list of things to add? Will it be ready in July? Will HE secure its main reverse zone ("0.7.4.0.1.0.0.2.ip6.arpa")? (And, will ns1.he.net ever get an IPv6 address?)

Maybe in the future, no changes to production equipment at this time.

NS1 gets one when you can promise that someone dual-stacked with broken IPv6 connectivity won't have issues when all authoritative NS are on both stacks.

Similar principle, we provide web hosting (and now DNS hosting) where our ns1-5 are the authoritative NS, so this configuration keeps the first/primary/etc NS available even to broken IPv6 configured machines, and thus our customers' websites don't get a "slow" feel with waiting 30-60s for broken IPv6 connectivity to time out and perform lookups against our NS over IPv4.

Although HE hasn't updated this topic, I can say that all my zones, including reverse zones, are DNSSEC signed and seemed to be served properly, but there isn't a delegation chain. ISC shouldn't have shut down its DLV function because of this, but it closed in 2017.

Providing signatures where the chain is lacking may be a bandwidth waste, but at least it doesn't break the DNS.